authortuexen <tuexen@FreeBSD.org>2018-04-07 20:27:11 +0000
committertuexen <tuexen@FreeBSD.org>2018-04-07 20:27:11 +0000
commit9d2361cff5b740126d8345dfbfbeb10208f79836 (patch)
treeda7007c202b3aa0f3a596a22a83c7d562d4b27ee /sbin
parente1dc7b2275ebb61187cff4df7ad73d13b352efb8 (diff)
MFC r326233:
Add to ipfw support for sending an SCTP packet containing an ABORT chunk. This is similar to the TCP case, where a TCP RST segment can be sent. There is one limitation: When sending an ABORT in response to an incoming packet, it should be verified that there is no ABORT chunk in the received packet. Currently, it is only checked whether the first chunk is an ABORT chunk, to avoid parsing the whole packet, which could result in a DOS attack. Thanks to Timo Voelker for helping me to test this patch. MFC r327200: When adding support for sending SCTP packets containing an ABORT chunk to ipfw in https://svnweb.freebsd.org/changeset/base/326233, a dependency on the SCTP stack was added to ipfw by accident. This was noted by Kevin Bowling in https://reviews.freebsd.org/D13594 where also a solution was suggested. This patch is based on Kevin's suggestion, but implements the required SCTP checksum computation without any dependency on other SCTP sources. While there, do some cleanups and improve comments. Thanks to Kevin Bowling for reporting the issue and suggesting a fix.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipfw/ipfw.88
-rw-r--r--sbin/ipfw/ipfw2.c16
-rw-r--r--sbin/ipfw/ipfw2.h2
3 files changed, 26 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index b2f4d51..c1bb718 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1173,6 +1173,14 @@ ipfw add reass all from any to any in
.Ed
.Pp
is all you need at the beginning of your ruleset.
+.It Cm abort
+Discard packets that match this rule, and if the packet is an SCTP packet,
+try to send an SCTP packet containing an ABORT chunk.
+The search terminates.
+.It Cm abort6
+Discard packets that match this rule, and if the packet is an SCTP packet,
+try to send an SCTP packet containing an ABORT chunk.
+The search terminates.
.El
.Ss RULE BODY
The body of a rule contains zero or more patterns (such as
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index fe0da3c..1e1ec5c 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -244,6 +244,8 @@ static struct _s_x rule_eactions[] = {
};
static struct _s_x rule_actions[] = {
+ { "abort6", TOK_ABORT6 },
+ { "abort", TOK_ABORT },
{ "accept", TOK_ACCEPT },
{ "pass", TOK_ACCEPT },
{ "allow", TOK_ACCEPT },
@@ -1507,6 +1509,8 @@ show_static_rule(struct cmdline_opts *co, struct format_opts *fo,
case O_REJECT:
if (cmd->arg1 == ICMP_REJECT_RST)
bprintf(bp, "reset");
+ else if (cmd->arg1 == ICMP_REJECT_ABORT)
+ bprintf(bp, "abort");
else if (cmd->arg1 == ICMP_UNREACH_HOST)
bprintf(bp, "reject");
else
@@ -1516,6 +1520,8 @@ show_static_rule(struct cmdline_opts *co, struct format_opts *fo,
case O_UNREACH6:
if (cmd->arg1 == ICMP6_UNREACH_RST)
bprintf(bp, "reset6");
+ else if (cmd->arg1 == ICMP6_UNREACH_ABORT)
+ bprintf(bp, "abort6");
else
print_unreach6_code(bp, cmd->arg1);
break;
@@ -3755,6 +3761,16 @@ compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate)
errx(EX_DATAERR, "Invalid state name %s", *av);
break;
+ case TOK_ABORT:
+ action->opcode = O_REJECT;
+ action->arg1 = ICMP_REJECT_ABORT;
+ break;
+
+ case TOK_ABORT6:
+ action->opcode = O_UNREACH6;
+ action->arg1 = ICMP6_UNREACH_ABORT;
+ break;
+
case TOK_ACCEPT:
action->opcode = O_ACCEPT;
break;
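Review bot: The new TOK_ABORT and TOK_ABORT6 cases reference ICMP_REJECT_ABORT and ICMP6_UNREACH_ABORT, which are not defined anywhere in this diff; the diffstat is limited to 'sbin', so they presumably come from the kernel-side ip_fw.h change of the same MFC, and a reviewer would confirm the userland build picks up that header revision. Since the action name "abort" says nothing about the transport, a short comment at the first new case would help a maintainer: `/* ipfw.8: kernel only emits an SCTP ABORT when the matched packet is SCTP */`. Related, the abort6 entry added to ipfw.8 in the first hunk is word-for-word identical to abort and does not state that it is the IPv6 variant, although here it maps to O_UNREACH6 rather than O_REJECT; the man page text should say so. compile_rule begins and ends outside this hunk.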
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 1ff9c38..8befdc9 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -81,6 +81,8 @@ enum tokens {
TOK_STARTBRACE,
TOK_ENDBRACE,
+ TOK_ABORT6,
+ TOK_ABORT,
TOK_ACCEPT,
TOK_COUNT,
TOK_EACTION,